diff --git a/.github/workflows/validate-org-template.yml b/.github/workflows/validate-org-template.yml
index d0baa28..415fe6d 100644
--- a/.github/workflows/validate-org-template.yml
+++ b/.github/workflows/validate-org-template.yml
@@ -15,12 +15,10 @@ jobs:
       # 5 org-template repos as the validator evolved. Single source of
       # truth eliminates that drift class entirely. Mirrors the same
       # pattern already used by validate-workspace-template.yml.
-      - uses: actions/checkout@v4
-        with:
-          repository: molecule-ai/molecule-ci
-          path: .molecule-ci-canonical
-          # Force anonymous; see validate-plugin.yml note. molecule-ci is public.
-          token: ''
+      # Direct git-clone — see validate-plugin.yml for the rationale.
+      # Anonymous fetch of public molecule-ci, no actions/checkout idiosyncrasies.
+      - name: Fetch molecule-ci canonical scripts
+        run: git clone --depth 1 https://git.moleculesai.app/molecule-ai/molecule-ci.git .molecule-ci-canonical
       - uses: actions/setup-python@v5
         with:
           python-version: "3.11"
diff --git a/.github/workflows/validate-plugin.yml b/.github/workflows/validate-plugin.yml
index d99c058..bc23dd6 100644
--- a/.github/workflows/validate-plugin.yml
+++ b/.github/workflows/validate-plugin.yml
@@ -15,18 +15,19 @@ jobs:
       # 20+ plugin repos as the validator evolved. Single source of
       # truth eliminates that drift class entirely. Mirrors the same
       # pattern already used by validate-workspace-template.yml.
-      - uses: actions/checkout@v4
-        with:
-          repository: molecule-ai/molecule-ci
-          path: .molecule-ci-canonical
-          # Force anonymous fetch. molecule-ci is a public repo. On Gitea,
-          # actions/checkout@v4 sends the per-job ${{ github.token }} which
-          # is scoped to the calling repo only — Gitea 404s the cross-repo
-          # request instead of falling back to anon-public-read (different
-          # from GitHub's behaviour). Empty token bypasses auth entirely.
-          # See molecule-ci#1 commit + the post-public-flip CI run on
-          # plugin-molecule-careful-bash@663bf72 for the exact failure shape.
-          token: ''
+      # Direct git-clone instead of actions/checkout@v4 because:
+      # (a) actions/checkout@v4 sends Authorization: basic <github.token> by default,
+      #     and Gitea 404s the cross-repo authenticated request (different from
+      #     GitHub which falls back to anon-public-read).
+      # (b) Passing token: '' triggers actions/checkout's runtime "Input required
+      #     and not supplied: token" error — the input is documented as
+      #     required:false but the action's runtime calls getInput with
+      #     required:true on its auth-helper path.
+      # Anonymous git clone of public molecule-ci has neither problem.
+      # See molecule-ci#1 (lowercase fix) + #2 (token:'' attempt) +
+      # the post-merge CI run on plugin-molecule-careful-bash@663bf72.
+      - name: Fetch molecule-ci canonical scripts
+        run: git clone --depth 1 https://git.moleculesai.app/molecule-ai/molecule-ci.git .molecule-ci-canonical
       - uses: actions/setup-python@v5
         with:
           python-version: "3.11"
diff --git a/.github/workflows/validate-workspace-template.yml b/.github/workflows/validate-workspace-template.yml
index bbc8fce..07d3495 100644
--- a/.github/workflows/validate-workspace-template.yml
+++ b/.github/workflows/validate-workspace-template.yml
@@ -54,12 +54,10 @@ jobs:
       # template repos as the validator evolved. Single source of truth
       # eliminates that drift class entirely — every template runs the
       # same canonical contract check on every CI run.
-      - uses: actions/checkout@v4
-        with:
-          repository: molecule-ai/molecule-ci
-          path: .molecule-ci-canonical
-          # Force anonymous; see validate-plugin.yml note. molecule-ci is public.
-          token: ''
+      # Direct git-clone — see validate-plugin.yml for the rationale.
+      # Anonymous fetch of public molecule-ci, no actions/checkout idiosyncrasies.
+      - name: Fetch molecule-ci canonical scripts
+        run: git clone --depth 1 https://git.moleculesai.app/molecule-ai/molecule-ci.git .molecule-ci-canonical
       - uses: actions/setup-python@v5
         with:
           python-version: "3.11"
@@ -135,12 +133,10 @@ jobs:
     if: github.event.pull_request.head.repo.fork != true
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/checkout@v4
-        with:
-          repository: molecule-ai/molecule-ci
-          path: .molecule-ci-canonical
-          # Force anonymous; see validate-plugin.yml note. molecule-ci is public.
-          token: ''
+      # Direct git-clone — see validate-plugin.yml for the rationale.
+      # Anonymous fetch of public molecule-ci, no actions/checkout idiosyncrasies.
+      - name: Fetch molecule-ci canonical scripts
+        run: git clone --depth 1 https://git.moleculesai.app/molecule-ai/molecule-ci.git .molecule-ci-canonical
       - uses: actions/setup-python@v5
         with:
           python-version: "3.11"